U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Statement on Auditing Standards No. 70 Report on the National Information Technology Center General Controls Review – Fiscal Year 2009

Report No. 88501-13-FM
September 2009


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 4, 2009

REPLY TO
ATTN OF:  88501-13-FM

TO:       Christopher L. Smith
          Chief Information Officer
          Office of the Chief Information Officer

THROUGH:  Sherry Linkins
          Office of the Chief Information Officer
          Information Resources Management

FROM:     Robert W. Young /s/
          Assistant Inspector General for Audit

SUBJECT:  Statement on Auditing Standards No. 70 Report on the National Information Technology Center General Controls Review - Fiscal Year 2009

This report presents the results of our Statement on Auditing Standards (SAS) No. 70 audit at the Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC) as of June 30, 2009. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the American Institute of Certified Public Accountants Standards that are commonly referred to as a SAS No. 70 audit. This report contains an unqualified opinion on the general control environment and does not contain recommendations. The projection of any conclusions based on our audit findings to future periods is subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for the management of OCIO/NITC, its customer agencies, and their auditors.

We appreciate the courtesies and cooperation extended to us during this review.


Executive Summary

Statement on Auditing Standards No. 70 Report on the National Information Technology Center General Controls Review - Fiscal Year 2009 (Audit Report No. 88501-13-FM)

Results in Brief

This report presents the results of our Statement on Auditing Standards No. 70 audit of the Office of the Chief Information Officer/National Information Technology Center’s (OCIO/NITC) internal controls as of June 30, 2009. Our review was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States including American Institute of Certified Public Accountants Professional Standards as amended by applicable statements on auditing standards.

Our objectives were to perform procedures necessary to express opinions about whether (1) OCIO/NITC’s description of controls in exhibit A presents fairly, in all material respects, the aspects of OCIO/NITC’s controls that may be relevant to a customer agency’s internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from July 1, 2008, through June 30, 2009.

Our audit disclosed that the control objectives and techniques identified in exhibit A presented fairly, in all material respects, the relevant aspects of OCIO/NITC’s controls. Also, in our opinion, the controls included in the description were suitably designed and operating with sufficient effectiveness to provide reasonable assurance that associated control objectives would be achieved if the described policies and procedures were complied with satisfactorily and customer agencies applied the controls specified in the OCIO/NITC description of controls.

Recommendation In Brief

We do not make any recommendations in this report.

USDA/OIG-A/88501-13-FM    Page i


Abbreviations Used in This Report

AD       Administrative Directive
C&A      certification and accreditation
CMITS    Configuration Management Information Tracking System
CS       Cyber Security
DAA      designated approving authority
ESM      External Security Mechanism
FISMA    Federal Information Security Management Act of 2002
GSS      General Support System
ID       identification
IS       information system
IT       information technology
LID      logon identifiers
NIST     National Institute of Standards and Technology
OCIO     Office of the Chief Information Officer
NITC     National Information Technology Center
OIG      Office of Inspector General
PIA      Privacy Impact Assessments
POA&M    plan of action & milestones
RA       risk assessments
SAS      Statement on Auditing Standards
SD       Security Directive
SSP      System Security Plan
ST&E     Security Test and Evaluation
USDA     U.S. Department of Agriculture


Table of Contents

Executive Summary
Abbreviations Used in This Report
Report of the Office of Inspector General
Exhibit A – Office of the Chief Information Officer/National Information Technology Center - Description of Controls
Exhibit B – Office of Inspector General, Review of Selected Controls


Report of the Office of Inspector General

To:  Christopher L. Smith
     Chief Information Officer
     Office of the Chief Information Officer

We have examined the controls identified or referenced in exhibit A for the U.S. Department of Agriculture’s (USDA) Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description of controls of the USDA’s OCIO/NITC presents fairly, in all material respects, the aspects of OCIO/NITC’s controls that may be relevant to a customer agency’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls; and (3) such controls had been placed in operation as of June 30, 2009. The control objectives were specified by OCIO/NITC.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

In our opinion, OCIO/NITC’s description of controls in exhibit A of this report presents fairly, in all material respects, the relevant aspects of OCIO/NITC’s controls that had been placed in operation as of June 30, 2009. Also, in our opinion, the controls included or referenced in exhibit A were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we performed tests to obtain evidence regarding the effectiveness of specific controls in meeting the control objectives included in exhibit A during the period from July 1, 2008, through June 30, 2009. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit B. This information will be provided to customer agencies and their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies. In our opinion, the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in exhibit A were achieved during the period from July 1, 2008, through June 30, 2009.

The relative effectiveness and significance of specific controls at OCIO/NITC and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual customer organizations. We have performed no procedures to evaluate the effectiveness of controls at individual customer agencies as part of this audit.

The description of controls at OCIO/NITC is as of June 30, 2009, and information about tests of the operating effectiveness of specific controls covers the period from July 1, 2008, through June 30, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at OCIO/NITC is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions. Finally, the accuracy and reliability of data processed by OCIO/NITC and the resultant report ultimately rests with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCIO/NITC, its users, and their auditors.

/s/

Robert W. Young
Assistant Inspector General for Audit

August 28, 2009


The subsequent sections of the report, exhibit A (pages 3 through 46) and exhibit B (pages 47 through 65), are not being publicly released due to the sensitive security content.